Who sent the email? IT Security

Soldato
Joined
25 Aug 2006
Posts
6,377
Morning all,

Random question of the day!

A client of ours mentioned in passing that they had received an email from a .ac.uk address to their personal Hotmail account. I offered to have a quick look at the email, and this is what I have learned:

a. The content is definitely spam, i.e. 'reply here to get your millions', with the link being to a @163.com email (Chinese free email account).

b. The sender's email address is detailed as a member of the University (a quick Google of the uni sites shows the person works there, i.e. [email protected]).

I am thinking that the email has been spoofed or the uni account hacked/compromised. I have got the email headers (but to be honest I am not sure what I am looking for there - lol!)

Any ideas from my geek brethren?
 
Associate
Joined
26 Mar 2015
Posts
1,004
Location
West Midlands
My general assumption would be that a member of staff from the university has put their password somewhere onto a forged site or something along those lines, possibly after following an email link to 'download an email attachment'. It's all scripted so that the moment the bot has access to someone's email, they'll spam an email to anyone/everyone.
 
Associate
Joined
20 Aug 2003
Posts
2,139
Location
The Republic
My general assumption would be that a member of staff from the university has put their password somewhere onto a forged site or something along those lines, possibly after following an email link to 'download an email attachment'. It's all scripted so that the moment the bot has access to someone's email, they'll spam an email to anyone/everyone.

This. The uni in question should have an [email protected] address (or similar, Google it), they'd appreciate it if you forwarded on the email with a "looks like you've got a compromised account" message. They'll be used to dealing with this sort of thing, as academics have a tendency to be astonishingly stupid sometimes (I had one who put his bank details into a phishing link even though it was for a different bank......)
 
Associate
Joined
30 Jan 2011
Posts
280
Location
UK
Mostly email has been hacked/spoofed. I would have them reset their passwords and confirm if they recently entered their email in any dodgy third-party site.
 
Soldato
Joined
3 Dec 2002
Posts
4,002
Location
Groovin' @ the disco
This is the issue where users use their work email address for personal reasons!

The sad thing is that most don't know any better not to use it... for goodness' sake, just sign up for a free online mail account.
 